Looking for how to query for users who are logging in via Remote Desktop and who are not in a certain OU in Active Directory. The ldapsearch works on its own and the outer search works, but when trying to combine them I seem to get all results (users in the OU are showing in the results). Can someone help?
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| fields _time, user, ComputerName | search NOT
[| ldapsearch domain=myDomain.com basedn="OU=My OU,DC=myDomain,DC=com" scope="sub" search="(objectClass=user)"
| rename sAMAccountName AS user
| fields user]
| table _time, user, ComputerName
I am trying to do something very similar with ldapsearch, though I didn't want to have to use a lookup file. Any luck?
I did not get the subsearch method to work. I just pivoted to the saved search generating a lookup file which I use to filter results.
I actually got the subsearch ldapsearch to work correctly. My main mistake was assuming the data that was being returned was in the correct format and key-value pair that I needed to make my main search work.
So, for example, if I expected the ldapsearch to result in a value of a username, the actual result was a key-value pair where the key was not a key that would work in my main search. I was able to see this happening when I looked at the "Inspect Job" view.
So in my case I renamed the ldapsearch key to the key I needed in my second search.
Example:
sourcetype=events event_type=ME ( [| ldapsearch search="(&(objectClass=group)(cn=MYGROUP))" attrs="member"
    | ldapfetch dn=member attrs=mail
    | rename mail AS created_by_login
    | table created_by_login] )
| table created_by_login
Worked great!!! I hope that helps you or others in the future.
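The point made in the answer above, applied to the original Remote Desktop question, as an added example (not posted by anyone in this thread): the subsearch must emit the same field name the outer search filters on, and the fastest way to confirm what it actually emits is to run the subsearch body on its own with `| format`, which renders the exact `( user="..." ) OR ( user="..." )` clause that gets spliced into the outer search. The domain, OU and `lower()` normalisation are assumptions for illustration; drop the `eval` lines if your `user` values already match byte-for-byte.

```spl
``` diagnostic: run the subsearch alone and look at the generated search clause ```
| ldapsearch domain=myDomain.com basedn="OU=My OU,DC=myDomain,DC=com" scope="sub" search="(objectClass=user)" attrs="sAMAccountName"
| rename sAMAccountName AS user
| eval user=lower(user)
| fields user
| format

``` full search: RDP logons (4624 / type 10) by accounts NOT in the OU ```
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| eval user=lower(user)
| search NOT [
    | ldapsearch domain=myDomain.com basedn="OU=My OU,DC=myDomain,DC=com" scope="sub" search="(objectClass=user)" attrs="sAMAccountName"
    | rename sAMAccountName AS user
    | eval user=lower(user)
    | fields user
  ]
| table _time, user, ComputerName
```

Two checks worth doing when the exclusion silently stops working: open Inspect Job and confirm the subsearch's result count matches the number of users you expect in the OU, since a subsearch that hits Splunk's default result or time limits is truncated rather than failed, and whatever was cut off will show up in the outer results; and confirm the `user` value in the 4624 events has the same shape (no `DOMAIN\` prefix, same case) as `sAMAccountName`, because `NOT user="alice"` will never match `user="CORP\Alice"`.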
A reasonable workaround is to generate a lookup table via a scheduled search and use it to filter the results.
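The lookup-based workaround, as an added example (not code from this thread): a scheduled search writes the OU membership to a CSV lookup, and the logon search filters against it with `lookup` plus `where isnull(...)` instead of a subsearch, which sidesteps the subsearch result and time limits entirely. The domain, OU and the lookup file name `ou_users.csv` are assumed for illustration.

```spl
``` scheduled search (e.g. hourly): refresh the list of accounts in the OU ```
| ldapsearch domain=myDomain.com basedn="OU=My OU,DC=myDomain,DC=com" scope="sub" search="(objectClass=user)" attrs="sAMAccountName"
| rename sAMAccountName AS user
| eval user=lower(user)
| table user
| outputlookup ou_users.csv

``` detection search: RDP logons by accounts not present in the lookup ```
sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| eval user=lower(user)
| lookup ou_users.csv user OUTPUT user AS in_ou
| where isnull(in_ou)
| table _time, user, ComputerName
```

Because the lookup is only as fresh as the last scheduled run, a newly created account outside the OU is caught immediately, but an account moved into the OU keeps being reported until the next refresh; pick the schedule with that lag in mind, and alert if the scheduled search ever writes an empty lookup, since an empty list means every RDP logon passes the filter.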